CVE-2005-1932 Information
Description
Lpanel 1.59 and earlier, and other versions before 1.597, allows remote authenticated users to modify certain critical variables and (1) modify DNS settings for arbitrary domains via the domain parameter to diagnose.php, (2) close, open, or respond to arbitrary support tickets via the close, open, or pid parameter to view_ticket.php, (3) obtain sensitive information on arbitrary invoices via the inv parameter to viewreceipt.php, or (4) modify domain information for arbitrary domains via the editdomain parameter to domains.php.
Reference
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034414.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034415.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034416.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034417.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034418.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034419.html
http://secunia.com/advisories/15589/
http://www.lpanel.net/changelog.php
http://www.securityfocus.com/bid/13869